> Should we log startup events in mysql_audit_initialize() and shutdown events in mysql_audit_finalize(), so that the API can
> stay the same?

It makes sence to me.

Hi holyfoot, GeoffMontee. Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases. Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown?

Hi ralf.gebhardt@mariadb.com,

Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases.

I would personally consider issuing a shutdown/startup request to be a form of "accessing the server" as well as performing an activity that can potentially affect all "database objects".

Shutdowns and startups could definitely be relevant in an audit. Especially if the auditors suspect a rogue DBA of adding options to my.cnf or other configuration files as a way to bypass security mechanisms.

Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown?

Yeah, it does appear so.

https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L5630

https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L1932

Hi, GeoffMontee, ralf.gebhardt@mariadb.com!
To me logging the server shutdowns/startups seems like a different level. User with such capabilities can do a lot more than just modify the .my.cnf file. Server can be started without the plugins for instance.
So it's difficult to rely on what's in the audit plugin log in this case.